2

I just came across modifying an existing site that was developed before by someone else.

While making changes in PHP files, I noticed that the variables that are not declared (not even in the included file) are used successfully.

I cannot understand how this is done. Is it using PHP's magic methods (_get and _set)?

An example scenario is this.

<?php
    if($name != ""){
        //do process
    }
?>

<form method="POST">
    <input type="hidden" name="name" value="" />
</form>

In a normal scenario, the above code would throw an error for an undefined variable. I can also see that all variables like the above are mainly for hidden inputs or $_GET variables.

But the above code works perfectly fine in the site I am developing, even though the $name variable hasn't been assigned to $_POST['name'] or $_REQUEST...

Can anyone please suggest a way to do such a thing in PHP, or am I missing something here?

Sahil

2 Answers

1

In older versions of PHP you set register_globals on and thereby convert all elements of the $_REQUEST array (and respectively the $_POST, $_GET, etc.) implicitly to variables like this.

However, as of version 5.4 this feature has been removed as it led to confusion and possibly security risks, as the user could inject variables in your script if you did not initialize them properly.

So, e.g., if the $_POST array looked like this

$_POST = array ( 'myVar' => 1, 'myOtherVar' => 2 );

with register_globals on PHP generated two additional variables like this:

$myVar == 1
$myOtherVar == 2

References:

Sirko
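The injection risk described in this answer, as an added example that is not part of the original post: `extract()` stands in for `register_globals` (which no longer exists in PHP 5.4+), and `authenticated_user()`, the `authorized` field and the sample request are assumptions constructed for illustration.

```php
<?php
// Constructed request: the client sends a field the form never contained.
$request = ['name' => 'alice', 'authorized' => '1'];

// Hypothetical stand-in for a real login check; this request is not logged in.
function authenticated_user(): bool
{
    return false;
}

// Legacy behaviour: every request key becomes a variable in scope.
// extract() reproduces here what register_globals did before PHP 5.4.
function legacy_page(array $request): string
{
    extract($request);               // creates $name and $authorized
    if (authenticated_user()) {
        $authorized = true;
    }
    // $authorized was never initialised by the script, so the
    // request-supplied value decides the outcome.
    return !empty($authorized) ? "secret for $name" : 'denied';
}

// Hardened form: the script sets its own state and reads only the
// expected field, explicitly, from the request array.
function hardened_page(array $request): string
{
    $authorized = authenticated_user();   // always assigned by the script
    $name = isset($request['name']) && is_string($request['name'])
        ? $request['name'] : '';
    if ($name === '') {
        return 'missing name';
    }
    return $authorized ? "secret for $name" : 'denied';
}

echo legacy_page($request), PHP_EOL;
echo hardened_page($request), PHP_EOL;
```

When auditing an inherited code base on a newer PHP version, the same behaviour can survive as `extract($_REQUEST)`, `import_request_variables()` or a `foreach` over the request that assigns `$$key`.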
1

I would rather check in your php.ini whether register_globals is on. This will allow variables to be stored without declaring them; all of them ($_POST, $_GET, ...) will be converted into variables automatically.

This is a bad practice and can cause a big security issue. I would like you to check this useful post:

Why is REGISTER_GLOBALS so bad?

Community
Fabio